Examining Access Control Vulnerabilities in GraphQL: A Feeld Case Study
Bogdan Tiron
DEF CON 33 (backfill) · Day 1 · Main Stage
In this compelling DEF CON presentation, Bogdan Tiron, a Senior Pentester at Brbridge, delivered a critical analysis of access control vulnerabilities within modern API architectures, focusing specifically on **GraphQL** and **REST APIs**. The talk used a detailed case study of Feeld, a popular dating application with over 1 million Android downloads, to illustrate the severe implications of flawed authorization mechanisms. Tiron meticulously uncovered eight distinct vulnerabilities, all stemming from inadequate access controls, which exposed sensitive user data and allowed unauthorized actions ranging from reading private messages to manipulating user profiles and even accessing private photos and videos without authentication.
AI review
Competent bug-bounty-style case study presenting eight BOLA/BOPLA findings in a dating app. Clean methodology, real findings, responsible disclosure done right — but this is well-trodden ground and the vulnerabilities themselves are textbook IDOR, not novel attack research. Fills a slot, won't define a con.